Add parameter autosign_key_file and Salt Master configuration

Bastian Schmidt · ekohl · ekohl · commit 4ea5cf8aa5be · 2022-01-17T12:27:53.000+01:00
* Add parameter autosign_key_file
* Add docs for autosign_key_file
* Add Salt Master configuration

Co-authored-by: Ewoud Kohl van Wijngaarden &lt;ewoud@kohlvanwijngaarden.nl&gt;
diff --git a/manifests/plugin/salt.pp b/manifests/plugin/salt.pp
@@ -6,6 +6,8 @@
 #
 # $autosign_file::   File to use for salt autosign
 #
+# $autosign_key_file:: File to use for salt autosign via grains
+#
 # $user::            User to run salt commands under
 #
 # $api::             Use Salt API
@@ -28,6 +30,7 @@
 #
 class foreman_proxy::plugin::salt (
   Stdlib::Absolutepath $autosign_file = $foreman_proxy::plugin::salt::params::autosign_file,
+  Stdlib::Absolutepath $autosign_key_file = $foreman_proxy::plugin::salt::params::autosign_key_file,
   Boolean $enabled = $foreman_proxy::plugin::salt::params::enabled,
   Foreman_proxy::ListenOn $listen_on = $foreman_proxy::plugin::salt::params::listen_on,
   String $user = $foreman_proxy::plugin::salt::params::user,
@@ -38,8 +41,23 @@
   String $api_password = $foreman_proxy::plugin::salt::params::api_password,
   Optional[Stdlib::Absolutepath] $saltfile = $foreman_proxy::plugin::salt::params::saltfile,
 ) inherits foreman_proxy::plugin::salt::params {
+  $foreman_ssl_cert = pick($foreman_proxy::foreman_ssl_cert, $foreman_proxy::ssl_cert)
+  $foreman_ssl_key = pick($foreman_proxy::foreman_ssl_key, $foreman_proxy::ssl_key)
+  $reactor_path = '/usr/share/foreman-proxy/salt/reactors'
+
   foreman_proxy::plugin::module { 'salt':
     enabled   => $enabled,
     listen_on => $listen_on,
   }
+
+  file {"${foreman_proxy::etc}/salt/master.d":
+    ensure => directory,
+    mode   => '0755',
+  }
+  file {"${foreman_proxy::etc}/salt/master.d/foreman.conf":
+    ensure  => file,
+    content => template('foreman_proxy/plugin/salt_master.conf.erb'),
+    owner   => 'root',
+    mode    => '0640',
+  }
 }
diff --git a/manifests/plugin/salt/params.pp b/manifests/plugin/salt/params.pp
@@ -6,6 +6,8 @@
   $enabled       = true
   $listen_on     = 'https'
   $autosign_file = "${foreman_proxy::params::etc}/salt/autosign.conf"
+  $autosign_grains_dir = '/var/lib/foreman-proxy/salt/grains'
+  $autosign_key_file = "${autosign_grains_dir}/autosign_key"
   $user          = 'root'
 
   $api           = false
diff --git a/spec/classes/foreman_proxy__plugin__salt_spec.rb b/spec/classes/foreman_proxy__plugin__salt_spec.rb
@@ -24,6 +24,7 @@
         let :params do {
           :user          => 'example',
           :autosign_file => '/etc/salt/example.conf',
+          :autosign_key_file => '/var/lib/foreman-proxy/salt/grains/autosign_key',
           :api           => true,
           :api_url       => 'http://foreman.example.com',
           :api_auth      => 'ldap',
@@ -36,6 +37,7 @@
           should contain_file('/etc/foreman-proxy/settings.d/salt.yml').
             with_content(%r{:salt_command_user: example}).
             with_content(%r{:autosign_file: /etc/salt/example.conf}).
+            with_content(%r{:autosign_key_file: /var/lib/foreman-proxy/salt/grains/autosign_key}).
             with_content(%r{:use_api: true}).
             with_content(%r{:api_url: http://foreman.example.com}).
             with_content(%r{:api_auth: ldap}).
diff --git a/templates/plugin/salt.yml.erb b/templates/plugin/salt.yml.erb
@@ -1,6 +1,7 @@
 ---
 :enabled: <%= @module_enabled %>
 :autosign_file: <%= scope.lookupvar('::foreman_proxy::plugin::salt::autosign_file') %>
+:autosign_key_file: <%= scope.lookupvar('::foreman_proxy::plugin::salt::autosign_key_file') %>
 :salt_command_user: <%= scope.lookupvar('::foreman_proxy::plugin::salt::user') %>
 # Some features require using the Salt API - such as listing environments and retrieving state info
 :use_api: <%= scope.lookupvar('::foreman_proxy::plugin::salt::api') %>
diff --git a/templates/plugin/salt_master.conf.erb b/templates/plugin/salt_master.conf.erb
@@ -0,0 +1,56 @@
+# /etc/salt/master.d/foreman.config Master configuration
+#
+# This file summarizes configurations for the salt-master.
+# Have a look at the [Foreman Salt Plugin Documentation](https://theforeman.org/plugins/foreman_salt/) for detailed explanations.
+#
+# After editing this file, run the following command to active the changes:
+# systemctl restart salt-master
+
+
+##
+# Autosign
+autosign_grains_dir: <%= scope.lookupvar('foreman_proxy::plugin::salt::autosign_grains_dir') %>
+autosign_file: <%= scope.lookupvar('foreman_proxy::plugin::salt::autosign_file') %>
+# Uncomment the next line to make use of the autosign host name file (not recommended)
+# permissive_pki_access: True
+
+
+##
+# Node classifier
+master_tops:
+  ext_nodes: /usr/bin/foreman-node
+
+
+##
+# Pillar data access
+ext_pillar:
+  - puppet: /usr/bin/foreman-node
+
+
+##
+# Salt API access
+external_auth:
+  <%= scope.lookupvar('foreman_proxy::plugin::salt::api_auth') %>:
+    <%= scope.lookupvar('foreman_proxy::plugin::salt::api_username') %>:
+      - '@runner'
+
+rest_cherrypy:
+  port: 9191
+  ssl_key: <%= @foreman_ssl_key %>
+  ssl_crt: <%= @foreman_ssl_cert %>
+
+
+##
+# Remote execution provider
+publisher_acl:
+  foreman-proxy:
+    - state.template_str
+
+
+##
+# Reactors
+reactor:
+  - 'salt/auth': # Autosign reactor
+    - <%= @reactor_path %>/foreman_minion_auth.sls
+  - 'salt/job/*/ret/*': # Report reactor
+    - <%= @reactor_path %>/foreman_report_upload.sls
